Validate parameter count before binding values
collinhundley opened this issue · 1 comment
Currently, no check is made to ensure that the number of parameters passed to `MySQLPreparedStatement.execute()` matches the number of parameters specified in the SQL statement. If the statement contains more `?`s than the number of parameters provided, `bindPtr` extends into uninitialized memory and the state becomes undefined. In my tests, this did some bad things and took quite a while to track down.

How could we validate the parameter count before binding them? Would counting the instances of `?` in the statement be sufficient? I'm not sure whether it's possible for a SQL statement to contain a `?` that doesn't correspond to a parameter.
I suppose `?` could also be present in string literals, for example, `select id from books where year > ? and title != "Where's Wally?"`. If string literals are not present in the query or if you can filter them out, I believe the remaining `?` count should match the parameter count.
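The filtering approach the comment describes, as an added example that is not part of the issue or of the project's code: a small scanner that counts `?` markers outside single-, double- and backtick-quoted runs and outside comments, then rejects a parameter list of the wrong length before any value is bound. The function names and the sample statements in the comments are mine.

```python
def count_placeholders(sql: str) -> int:
    """Return the number of ``?`` parameter markers that sit outside
    string literals, backtick-quoted identifiers and comments."""
    count = 0
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"', "`"):
            # Quoted run: skip to the matching close quote. Inside ' or "
            # a backslash escapes the next char; a doubled quote is literal.
            i += 1
            while i < n:
                if sql[i] == "\\" and c != "`":
                    i += 2
                    continue
                if sql[i] == c:
                    if i + 1 < n and sql[i + 1] == c:
                        i += 2  # '' or "" or `` stays inside the run
                        continue
                    break
                i += 1
            i += 1  # step past the closing quote
        elif c == "#" or sql.startswith("-- ", i):
            # Single-line comment runs to end of line.
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl + 1
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif c == "?":
            count += 1
            i += 1
        else:
            i += 1
    return count


def validate_param_count(sql: str, params: tuple) -> int:
    """Raise ValueError when len(params) differs from the marker count,
    so a short or long parameter list never reaches the bind step."""
    expected = count_placeholders(sql)
    if expected != len(params):
        raise ValueError(
            f"statement has {expected} placeholder(s), got {len(params)} value(s)")
    return expected


if __name__ == "__main__":
    # The comment's example: the ? inside the string literal is not a marker.
    sql = 'select id from books where year > ? and title != "Where\'s Wally?"'
    print(validate_param_count(sql, (1999,)))  # prints 1
```

Where the wrapper already holds the prepared `MYSQL_STMT` handle, the MySQL C API's `mysql_stmt_param_count()` returns the server's own count for that statement, which avoids parsing the text at all.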